How Meltdown and Spectre affects your Joomla site

You have probably heard about the Meltdown and Spectre attacks by now. The discovery of these critical vulnerabilities was announced at the start of the year and has been making headlines since.

Now that the dust has settled we can take a look at what we have learned so far.

Why is this such a big deal?

These vulnerabilities affects almost every laptop, phone or server that has a modern Intel CPU.

In short, it allows anyone with access to a server to read memory from other processes, making it possible to read passwords or other sensitive information. On virtualised environments, it can even allow one virtual machine to access memory from another virtual machine.

Although this has very serious implications, it's not as easy for an attacker to exploit this, unlike other vulnerabilities like Heartbleed.

How to fix Meltdown and Spectre flaws?

Almost all popular operating systems have received the first batch of security updates to mitigate the Meltdown flaw. As an end-user you just have to install the latest updates when prompted.

We have installed the patches on all of our servers and we advise you to do the same.

If you are on shared hosting, get in touch with your provider to verify! We sent out an email to all our hosting customers to let them know that we have updated our servers.

There will be more updates to come so keep an eye out for them.

Is there a loss in performance?

Unfortunately, this patch brings with it a performance penalty. The operating system has to introduce additional software logic to secure it.

It seems we're not exempt from these consequences either. This graph shows how CPU usage increased as soon as the patches were rolled out on one of our servers:

CPU usage after applying the patch increases

This has a direct impact on application response times: some requests are taking longer to complete. Our initial benchmarks show a 5% - 35% decrease in performance, depending on workload and traffic.

All our servers were able to handle this additional load so we did not have to increase capacity.

What can we do to improve our performance?

You can try to increase server capacity by adding more CPU cores, but that can be costly. You can optimize your Joomla site by using better caching mechanisms and rewriting slow parts of your application. Or you could have a team of experts optimize your site for you.

If you need an immediate solution, you can disable the new page-table isolation feature. But that will leave your system unprotected.

A new kernel feature called PCID can potentially help mitigate the performance problem. Unfortunately it's only been available since Linux kernel version 4.14. On top of that there are not many hosting companies that offer the required CPU feature.

What's next?

It is expected that this vulnerability will have consequences for many years to come. Although it's not straightforward for an attacker to exploit this flaw, it's uncertain what will happen in the future.

We recommend that you set up a good strategy to test and roll out future security updates quickly. You should also have a decent monitoring system in place to measure the impact on performance.

Written by

Steven Rombauts

31 Jan 2018

Join 23000+ others and subscribe to our newsletter!